Package: libxmltok
Version: 1.2-4
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu kinetic ubuntu-patch
Dear Maintainer,

While triaging CVE-2021-46143 for expat, it was found that one part of the reported integer overflow, in doProlog() in xmlparse.c, is also present in libxmltok. So, I'm suggesting to apply this patch for libxmltok in Debian as well.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-46143.patch: add an integer overflow check for groupSize variable at doProlog() in xmlparse/xmlparse.c.
    - CVE-2021-46143

Thanks for considering the patch.

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-33-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
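As an added illustration (not code from libxmltok or from the attached patch), the following C mirrors the groupConnector growth logic of doProlog() with hypothetical helper names: it shows why the unpatched doubling of an unsigned groupSize wraps to 0 once the size exceeds UINT_MAX/2, and how the guard from the patch refuses that growth. The realloc temporary in ensure_group_capacity() is an extra precaution assumed here, not part of the patch.

```c
#include <limits.h>
#include <stdlib.h>

/* The buffer starts at 32 bytes on first use and is doubled whenever the
 * nesting level reaches the current size, as in doProlog(). */

/* Unguarded doubling as in the unpatched code: the value handed to
 * realloc().  For groupSize > UINT_MAX/2 the product wraps (to 0 for
 * exactly UINT_MAX/2 + 1), so realloc() gets a far too small size. */
unsigned next_group_size_unchecked(unsigned groupSize) {
    return groupSize ? groupSize * 2u : 32u;
}

/* Guarded doubling as in the patch.  Returns 0 where the patched code
 * returns XML_ERROR_NO_MEMORY, 1 otherwise with the new size in *out. */
int next_group_size_checked(unsigned groupSize, unsigned *out) {
    if (groupSize) {
        if (groupSize > UINT_MAX / 2u)  /* same test as (unsigned)(-1) / 2u */
            return 0;                   /* doubling would overflow */
        *out = groupSize * 2u;
    } else {
        *out = 32u;
    }
    return 1;
}

/* Grow the connector buffer when `level` reaches *groupSize.
 * Returns 1 when there is room (possibly after growing), 0 on overflow
 * or allocation failure; on failure the old buffer and size are kept. */
int ensure_group_capacity(char **groupConnector, unsigned *groupSize,
                          unsigned level) {
    unsigned newSize;
    char *p;
    if (level < *groupSize)
        return 1;                       /* still room, nothing to do */
    if (!next_group_size_checked(*groupSize, &newSize))
        return 0;
    /* assumed precaution: keep the old pointer until realloc() succeeds */
    p = realloc(*groupConnector, newSize);
    if (!p)
        return 0;
    *groupConnector = p;
    *groupSize = newSize;
    return 1;
}
```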
diff -Nru libxmltok-1.2/debian/patches/CVE-2021-46143.patch libxmltok-1.2/debian/patches/CVE-2021-46143.patch --- libxmltok-1.2/debian/patches/CVE-2021-46143.patch 1969-12-31 21:00:00.000000000 -0300 +++ libxmltok-1.2/debian/patches/CVE-2021-46143.patch 2022-05-30 16:58:54.000000000 -0300 @@ -0,0 +1,29 @@ +Description: backport of libexpat upstream patch + Backport of libexpat patch that is included in libxmltok: + Prevent integer overflow on groupSize in function doProlog +Author: Rodrigo Figueiredo Zaiden <rodrigo.zai...@canonical.com> +Origin: upstream, https://github.com/libexpat/libexpat/commit/82c11af9d3dafc1b086a15efecd6ec07b6e13613 +Bug: https://github.com/libexpat/libexpat/issues/532 +Forwarded: no +Last-Update: 2022-05-27 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- libxmltok-1.2.orig/xmlparse/xmlparse.c ++++ libxmltok-1.2/xmlparse/xmlparse.c +@@ -2616,9 +2616,14 @@ doProlog(XML_Parser parser, + #endif /* XML_DTD */ + case XML_ROLE_GROUP_OPEN: + if (prologState.level >= groupSize) { +- if (groupSize) ++ if (groupSize) { ++ /* Detect and prevent integer overflow */ ++ if (groupSize > (unsigned int)(-1) / 2u) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + groupConnector = realloc(groupConnector, groupSize *= 2); +- else ++ } else + groupConnector = malloc(groupSize = 32); + if (!groupConnector) + return XML_ERROR_NO_MEMORY; diff -Nru libxmltok-1.2/debian/patches/series libxmltok-1.2/debian/patches/series --- libxmltok-1.2/debian/patches/series 2017-08-10 08:53:42.000000000 -0300 +++ libxmltok-1.2/debian/patches/series 2022-05-30 16:58:54.000000000 -0300 @@ -1 +1,2 @@ debian-changes.patch +CVE-2021-46143.patch
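Review bot: the guard `if (groupSize > (unsigned int)(-1) / 2u)` inserted ahead of `groupConnector = realloc(groupConnector, groupSize *= 2);` is correct for an unsigned groupSize (a value no larger than UINT_MAX/2 cannot wrap when doubled), but the realloc result is still assigned straight to groupConnector, so on allocation failure the previous buffer is lost before `return XML_ERROR_NO_MEMORY;`; since the backport already touches these lines, consider assigning through a temporary and overwriting groupConnector only on success. Two smaller points: `UINT_MAX` from <limits.h> reads more clearly than `(unsigned int)(-1)` (keeping the upstream spelling is defensible for easier future backports), and the DEP-3 header combines `Origin: upstream` with `Forwarded: no`, where `Forwarded: not-needed` is the value DEP-3 intends for a patch taken from upstream.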